Source code

001/*
002 * CDDL HEADER START
003 *
004 * The contents of this file are subject to the terms of the
005 * Common Development and Distribution License, Version 1.0 only
006 * (the "License").  You may not use this file except in compliance
007 * with the License.
008 *
009 * You can obtain a copy of the license at legal-notices/CDDLv1_0.txt
010 * or http://forgerock.org/license/CDDLv1.0.html.
011 * See the License for the specific language governing permissions
012 * and limitations under the License.
013 *
014 * When distributing Covered Code, include this CDDL HEADER in each
015 * file and include the License file at legal-notices/CDDLv1_0.txt.
016 * If applicable, add the following below this CDDL HEADER, with the
017 * fields enclosed by brackets "[]" replaced with your own identifying
018 * information:
019 *      Portions Copyright [yyyy] [name of copyright owner]
020 *
021 * CDDL HEADER END
022 *
023 *
024 *      Copyright 2013-2015 ForgeRock AS
025 */
026package org.opends.server.protocols.http;
027
028import static org.forgerock.audit.events.AccessAuditEventBuilder.accessEvent;
029import static org.forgerock.json.resource.Requests.newCreateRequest;
030import static org.forgerock.json.resource.ResourcePath.resourcePath;
031
032import java.util.concurrent.TimeUnit;
033
034import org.forgerock.audit.events.AccessAuditEventBuilder;
035import org.forgerock.http.Filter;
036import org.forgerock.http.Handler;
037import org.forgerock.http.MutableUri;
038import org.forgerock.http.protocol.Form;
039import org.forgerock.http.protocol.Request;
040import org.forgerock.http.protocol.Response;
041import org.forgerock.http.protocol.Status;
042import org.forgerock.json.resource.CreateRequest;
043import org.forgerock.json.resource.RequestHandler;
044import org.forgerock.services.context.ClientContext;
045import org.forgerock.services.context.Context;
046import org.forgerock.services.context.RequestAuditContext;
047import org.forgerock.util.promise.NeverThrowsException;
048import org.forgerock.util.promise.Promise;
049import org.forgerock.util.promise.PromiseImpl;
050import org.forgerock.util.promise.ResultHandler;
051import org.forgerock.util.promise.RuntimeExceptionHandler;
052import org.forgerock.util.time.TimeService;
053
054/**
055 * This filter aims to send some access audit events to the AuditService managed as a CREST handler.
056 */
057public class CommonAuditHttpAccessAuditFilter implements Filter {
058
059    private static Response newInternalServerError() {
060        return new Response(Status.INTERNAL_SERVER_ERROR);
061
062    }
063
064    private final RequestHandler auditServiceHandler;
065    private final TimeService time;
066    private final String productName;
067
068    /**
069     * Constructs a new HttpAccessAuditFilter.
070     *
071     * @param productName The name of product generating the event.
072     * @param auditServiceHandler The {@link RequestHandler} to publish the events.
073     * @param time The {@link TimeService} to use.
074     */
075    public CommonAuditHttpAccessAuditFilter(String productName, RequestHandler auditServiceHandler, TimeService time) {
076        this.productName = productName;
077        this.auditServiceHandler = auditServiceHandler;
078        this.time = time;
079    }
080
081    @Override
082    public Promise<Response, NeverThrowsException> filter(Context context, Request request, Handler next) {
083        ClientContext clientContext = context.asContext(ClientContext.class);
084
085        AccessAuditEventBuilder<?> accessAuditEventBuilder = accessEvent();
086
087        String protocol = clientContext.isSecure() ? "HTTPS" : "HTTP";
088        accessAuditEventBuilder
089                .eventName(productName + "-" + protocol + "-ACCESS")
090                .timestamp(time.now())
091                .transactionIdFromContext(context)
092                .serverFromContext(clientContext)
093                .clientFromContext(clientContext)
094                .httpRequest(clientContext.isSecure(),
095                             request.getMethod(),
096                             getRequestPath(request.getUri()),
097                             new Form().fromRequestQuery(request),
098                             request.getHeaders().copyAsMultiMapOfStrings());
099
100        final PromiseImpl<Response, NeverThrowsException> promiseImpl = PromiseImpl.create();
101        try {
102            next.handle(context, request)
103                    .thenOnResult(onResult(context, accessAuditEventBuilder, promiseImpl))
104                    .thenOnRuntimeException(
105                            onRuntimeException(context, accessAuditEventBuilder, promiseImpl));
106        } catch (RuntimeException e) {
107            onRuntimeException(context, accessAuditEventBuilder, promiseImpl).handleRuntimeException(e);
108        }
109
110        return promiseImpl;
111    }
112
113    // See HttpContext.getRequestPath
114    private String getRequestPath(MutableUri uri) {
115        return new StringBuilder()
116            .append(uri.getScheme())
117            .append("://")
118            .append(uri.getRawAuthority())
119            .append(uri.getRawPath()).toString();
120    }
121
122    private ResultHandler<? super Response> onResult(final Context context,
123                                                     final AccessAuditEventBuilder<?> accessAuditEventBuilder,
124                                                     final PromiseImpl<Response, NeverThrowsException> promiseImpl) {
125        return new ResultHandler<Response>() {
126            @Override
127            public void handleResult(Response response) {
128                sendAuditEvent(response, context, accessAuditEventBuilder);
129                promiseImpl.handleResult(response);
130            }
131
132        };
133    }
134
135    private RuntimeExceptionHandler onRuntimeException(final Context context,
136            final AccessAuditEventBuilder<?> accessAuditEventBuilder,
137            final PromiseImpl<Response, NeverThrowsException> promiseImpl) {
138        return new RuntimeExceptionHandler() {
139            @Override
140            public void handleRuntimeException(RuntimeException exception) {
141                // TODO How to be sure that the final status code sent back with the response will be a 500 ?
142                final Response errorResponse = newInternalServerError();
143                sendAuditEvent(errorResponse, context, accessAuditEventBuilder);
144                promiseImpl.handleResult(errorResponse.setCause(exception));
145            }
146        };
147    }
148
149    private void sendAuditEvent(final Response response,
150                                final Context context,
151                                final AccessAuditEventBuilder<?> accessAuditEventBuilder) {
152        RequestAuditContext requestAuditContext = context.asContext(RequestAuditContext.class);
153        long elapsedTime = time.now() - requestAuditContext.getRequestReceivedTime();
154        accessAuditEventBuilder.httpResponse(response.getHeaders().copyAsMultiMapOfStrings());
155        accessAuditEventBuilder.response(mapResponseStatus(response.getStatus()),
156                                         String.valueOf(response.getStatus().getCode()),
157                                         elapsedTime,
158                                         TimeUnit.MILLISECONDS);
159
160        CreateRequest request =
161            newCreateRequest(resourcePath("/http-access"), accessAuditEventBuilder.toEvent().getValue());
162        auditServiceHandler.handleCreate(context, request);
163    }
164
165    private static AccessAuditEventBuilder.ResponseStatus mapResponseStatus(Status status) {
166        switch(status.getFamily()) {
167        case CLIENT_ERROR:
168        case SERVER_ERROR:
169            return AccessAuditEventBuilder.ResponseStatus.FAILED;
170        default:
171            return AccessAuditEventBuilder.ResponseStatus.SUCCESSFUL;
172        }
173    }
174}